More feature stories by year:
Return to: 2015 Feature Stories
CLIENT: PRPL FOUNDATION
Oct. 7, 2015: IEEE Computing Now
by Art Swift
The Internet of Things (IoT) has the power to transform our lives, making us more productive at work, and happier and safer at home. But it's also developing at such a rate that it threatens to outstrip our ability to adequately secure it. A piece of software hasn't been written yet that didn't contain mistakes – after all, we're only human. But with non-IoT security experts designing and building connected systems the risks grow ever greater. So what can be done?
In my last blog I highlighted the potentially disastrous consequences that could result from several serious, publicly disclosed vulnerabilities in IoT systems. All of these cases share commonalities which we can use to explore some of the key security challenges facing our industry.
All of the IoT security flaws previously referenced were discovered thanks in part to reverse engineering of proprietary software. Charlie Miller and Chris Valasek did this to expose vulnerabilities in the Uconnect 8.4AN/RA4 system running in a 2014 Jeep, allowing them to remotely control its steering and brakes. Runa Sandvik and her husband Michael Augur did it to hack a smart rifle, enabling them to potentially fire it at a target of their choosing. Billy Rios reverse engineered Internet-connected Hospira drug infusion pumps, enabling him to find flaws which allowed for the possible tampering of dosage volumes.
What do these cases tell us? If security researchers can do this, then the bad guys, in theory, can too. In the past too many programmers have relied on 'security by obscurity,' hoping that their 'secret' proprietary systems would be beyond the reach of most hackers. This simply won't do today. Firmware binary code is usually available online if you know where to look. If it is not, hardware debugging tools such as JTAG can be used to extract a copy of the software from the device itself. And interactive disassemblers like IDA can generate assembly language source code from machine-executable code. In combination with other tools and techniques it is becoming easier than ever to reverse engineer a binary image, work out what it does, then determine where its vulnerabilities are and how to exploit them.
In short, over and over again closed proprietary software has proven to be simply unfit for purpose. Compared to mainstream open source software it represents the path of least resistance for a determined and sufficiently resourced attacker – more on the benefits of the open source security in my next post.
The most dangerous Achilles heel of IoT devices is their connectivity – whether to the public facing Internet or with other networked devices. It gives attackers who have found a weakness in the code a means to hack their victims remotely. On an unprecedented scale, connectivity means an almost limitless number of systems can be hacked simultaneously.
The situation is compounded because many of the engineers tasked with designing and building IoT systems are not experts in network protocols and even less in network security. They may know how to put together hardware components, but implementing TCP/IP protocols is a rarefied discipline which requires expert knowledge and extensive debug and testing. And a hardware engineer that takes a correct 'by design' approach may not appreciate the needs for software updates and security patches, or indeed the need for security around the update process itself.
It's unfair to expect mechanical and electrical engineers to shoulder this burden and stay up-to-date with the latest secure development best practices. But their lack of subject matter expertise is leaving systems wide open to attack. Weak implementation of network protocols enabled Miller and Valasek to infiltrate the Jeep's D-BUS via port 6667 left inexplicably open and unauthenticated, for example.
The vast majority of IoT and connected embedded devices can't be regularly patched/updated; these patches and updates also aren't automatically provided by the manufacturer. In instances where the software can be updated, the software should only come from a trusted source.
Miller and Valasek exploited this weakness to modify TI OMAP-DM3730 chip firmware inside the 2014 Jeep and reflash the image, allowing them to reboot and execute arbitrary code. You can install the best alarm system money can buy to protect your house, but if a robber can come along and merely replace it with his own, what's the point of having one? A similar issue has enabled hackers to run a malicious backdoor on various Cisco router models – by inserting an implant the same size as the legitimate Cisco router image.
The issue with this kind of attack is that it gives the hackers complete control of the device and it is persistent – it can't be undone via a system reboot, for example. And it gives them privileged access to an affected device. In the case of incidents targeting network routers and home gateways this means an attacker can potentially see and control all the traffic flowing in and out of the corporate or home network.
All of the attacks mentioned above were made possible due to a lack of the internal security controls which limit lateral movement inside targeted systems. It's a strategy used by cybercriminals frequently in targeted attacks to data centers. They gain an initial foothold into an endpoint via malware download, made possible by a spearphishing email or by simply cracking or stealing user credentials. Then they move around laterally inside the network, escalating privileges until they find the real prize – typically a database full of sensitive IP or customer information.
Taking the example again of Miller and Vasadek, their initial incursion was into the car's on-board entertainment system, the head unit. After compromising this they managed to achieve a refresh of microprocessor firmware, allowing ultimately for access to the CAN mcu Renesas v850, and then remote control of the car. Meanwhile, Chris Roberts allegedly managed to reach a part of an aircraft which should have been isolated – its on-board flight systems – by infiltrating the in-flight entertainment facility.
Separation is one of the fundamental principles of security, so it's not only dispiriting to see it ignored in so many cases when it comes to IoT-related system, it's downright dangerous.
As the Internet of Things becomes an ever larger part of our lives, it has found its way into an increasing number of the systems and platforms we take for granted today. These systems control airplanes, automobiles, drug pumps and even rifles. It's critical then that we take proactive steps to lock down the risks that come from software vulnerabilities.
Return to: 2015 Feature Stories